ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 
stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right
of access? 


O Yes
X No
O Unsure/don’t know


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


At Revolut, some DSARs are made by customers whose accounts have been locked on the 
basis of a security review (e.g. usually based on the Proceeds of Crime Act 2002). By 
making a DSAR, customers are trying to get as much information as they can on the 
content of our review and the evidence we hold against them. 


Financial institutions could benefit from ICO guidance on how to approach conflicts 
between a customer's right to a Data Subject Access Request and the risks of ‘tipping off’, 
which is an offence under Section 33A Proceeds of Crime Act 2002, when a Suspicious 
Activity Report has been filed to the NCA in relation to that data subject. 


Q2 Does the draft guidance contain the right level of detail? 


O Yes
X No
O Unsure/don’t know


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Businesses would also benefit from further guidance on how to deal with customers using 
DSAR as a means of attracting the business’ attention on unrelated issues or simply 
disrupting the business out of frustration. Revolut takes its data protection obligations 
very seriously and always addresses those DSARs in a professional way. Nonetheless, 
guidance on where to draw the line between honest DSAR and a means of disruption
would be useful. 


Q3 Does the draft guidance contain enough examples? 


O Yes 
X No 


O Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


It would be useful for the ICO to provide examples specific to financial institutions. 


Q4 We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would
like to include a wide range of examples from a variety of sectors to help you.
Please provide some examples of manifestly unfounded and excessive requests
below (if applicable).


For financial institutions, a ‘manifestly unfounded or excessive’ subject access request
would be where the data subject asks to be sent all internal and external correspondence
in relation to him/her. This would include guidance on whether financial institutions need
to share every single document on which the data subject’s name appears or whether
there are some limitations.


Q5 On a scale of 1-5 how useful is the draft guidance?


O 1 - Not at all useful
O 2 - Slightly useful
O 3 - Moderately useful
X 4 - Very useful
O 5 - Extremely useful


Q6 Why have you given this score?


The draft guidance is quite extensive, however, as suggested in the above responses,
financial institutions would benefit from further guidance on subject access requests
where the data subject has committed fraud, or another offence which limits the ability of
the business to respond to the subject access request in the fullest way. There should be
a clear line between respecting the data subject's right to access his or her personal data,
and compliance with the applicable legislation (e.g. POCA 2002).


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?


O Strongly disagree
O Disagree
O Neither agree nor disagree
O Agree
X Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft
guidance.


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone
providing their views as a member of the public)

O An individual acting in a professional capacity

X On behalf of an organisation

O Other


Please specify the name of your organisation: 


Revolut Ltd


What sector are you from:


Financial institution (EMI) 


Q10 How did you find out about this survey? 


ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 




Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


